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Abstract 

In the m-out-of-n Oblivious Transfer (OT) model, 
one party Alice sends n bits to another party Bob, Bob 
can get only m bits from the n bits. However, Alice 
cannot know which m bits Bob received. Y.Mu and 
Naor presented classical m-out-of-n Oblivious Trans- 
fer based on discrete logarithm. As the work of Shor, 
the discrete logarithm can be solved in polynomial time 
by quantum computers, so such OTs are unsecure to 
the quantum computer. In this paper, we construct 
a quantum m-out-of-n OT (QOT) scheme based on 
the transmission of polarized light and show that the 
scheme is robust to general attacks, i.e. the QOT 
scheme satisfies statistical correctness and statistical 
privacy. 

Keywords. Quantum, Oblivious Transfer. 



1 Introduction 

A number of recent papers have provided com- 
pelling evidence that certain computational, crypto- 
graphic, and information theoretic tasks can be per- 
formed more efficiently by models based on quantum 
physics than those based on classical physics [9] . 

Oblivious Transfer (OT) is used as a key compo- 
nent in many applications of cryptography [11, 5, 10]. 
Informally speaking in an Oblivious Transfer, Alice 
sends a bit to Bob that he receives half the time (this 
fact is out of their control), Alice does not find out 
what happened. Bob knows if he get the bit or nothing. 
Similarly, in a l-out-of-2 Oblivious Transfer, Alice has 
two bits 6o, bi that she sends to Bob in such a way that 
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he can decide to get either of them at his choosing but 
not both. Alice never finds out which bit Bob received. 

In 2001, Naor presented a 1-out-of-n Oblivious 
Transfer [8], Y.Mu showed that m-out-of-n Oblivious 
Transfer could also be realized based on the discrete 
logarithm. In the m-out-of-n Oblivious Transfer(l < 
m < n) , Alice sends n bits to Bob, Bob can get only m 
of them. In the case of quantum, Claude Crepeau pro- 
vided a l-out-of-2 quantum Oblivious Transfer based 
on the transmission of polarized light in 1994. The 
protocol of Crepeau's can be used directly to imple- 
ment a one-out-of-three Oblivious Transfer. 

The organization of this paper is as following: in 
section 2, we give the definitions of the correctness 
and privacy of the m-out-of-n OT protocol. In section 
3, we review the l-out-of-2 OT of Claude Crepeau and 
its intuition. In section 4, we construct an m-out-of-n 
OT, and in section 5 we show that this scheme satisfies 
statistical correctness and statistical privacy . 



2 Definitions 

The natural constraints (see below) of correctness 
and privacy of a m-out-of-n 0T(1 < m < n) is showed 
below. 

Definition 2.1 Perfect Correctness: It should be 
that when Alice and Bob follow the protocol and start 
with Alice's input bits bi,b2, ■ ■ ■ ,bn and Bob's input 
Ci, C2, . . . , Cm £ {1, 2, • • • , n}, they finish with Bob get- 
ting 6ci,6c2, • • • 7^c„ G { b2, ■ ■ ■, bn}. 

Definition 2.2 Perfect Privacy: It should be that, 
Alice can not find out about c\, C2, . . . , c„i, and Bob 
can not find out more than m o/ 6i , 62 • 

The protocol we describe in the next section is of 
probabilistic nature. We cannot show that this proto- 
col perfectly satisfies the above constraints but satis- 
fies in a statistical sense: after an amount of work in 



0{N) time the protocol will satisfy for some positive 
constant e < 1. 

Definition 2.3 Statistical Correctness: It should 
be that , except with probability at most , when 
Alice and Bob follow the protocol and start with 
Alice's input bits bi,b2, ■ ■ ■ ,bn and Bob's input 
ci, C2, . . . , Cm, G {1, 2, • • • , n} they finish with Bob get- 
ting 6ci, 6c2, ■■■,bc^ e {6l, 62, • • • , bn}- 

Definition 2.4 Statistical Privacy: It should be 

that, except with probability at most , Alice can not 
find out Ci, C2, . . . , Cm, and Bob can not find out more 
than m of bi, 62, • • • , 

3 Quantum l-out-of-2 Oblivious 
Transfer 

In this section, we introduce the quantum l-out- 
of-2 OT provided by Claude Crepeau [3]. Let (§) 
denote the random variable that takes the binary 
value with probability 1/2 and 1 with probability 
1/2. Also, denote by [ ]j the selection function such 
that [ao,ai,---,afe]i = o^. Let and 
X = (l\)7 1 y)) denote respectively the bases of recti- 
linear and diagonal polarization in the quantum state 
space of a photon. The quantum l-out-of-2 OT is as 
follows: 

3.1 Quantum l-out-of-2 OT 

Protocol 3.1 l-out-of-2 OT{bo,bi){c) 

1. DOl^^ 

• Alice picks a random bit rj •*— 

• Alice picks a random bit Pi ^ (^and defines 
her emission basis (\(pi), ^ X]/3i 

• Alice sends to Bob a photon Wi with polar- 
ization [\<fi), \<fi~)]ri 

• Bob picks a random bit /?■ <— (^nd measures 
TTi in basis {\9i),\0^))^[%X]0'^ 

• Bob sets 

I ( 0, ifiTi is observed as \6i) 

' 1^ 1, if-Ki is observed as \6f-) 

2. DOf^^ 

• Bob runs commit(r'^) , commit{l3'j) , 

commit(r'^^^) , commit(j3'^j_^) with Alice 

• Alice picks Ci <— (§) and announces it to Bob 

• Bob runs unveil{r'^^._^^),unveil{(3'^^._^^) 



• Alice checks that Pna+i = P'nc +i ~^ 

• if Ci = then Alice sets Pi ^ Pn+i and ri <— 
rn+i and Bob set ^ |3'^J^^ and <- r'^_^_i 

3. Alice announces her choices PiP2 - ■ ■ Pn to Bob 

4- Bob randomly selects two subsets /o,/i C 
{1, 2, • • • , n} subject to |/o| = =n/3, /oH/i = 
and \/i € /c, A = P'i, and he announces {Io,Ii) 
to Alice 

5. Alice receives {Jq, Ji) ={Io, Ii) , computes and 
sends bo ^ i'o®0jejo "^i ""'^ ^1 ^ &i ©0jGJi 

6. Bob receives (60,61) and computes be ^ be ® 

3.2 Intuition behind l-out-of-2 OT 

In this l-out-of-2 QOT, Alice must prevent Bob 
from storing the photons and waiting until she dis- 
closes the bases before measuring them, which would 
allow him to obtain both of Alice's bits with certainty. 
To realize this, Alice gets Bob to commit to the bits 
that he received and the bases that he used to measure 
them. Before going ahead with r,, say, Alice checks 
that Bob had committed properly to r^+i when he 
read that bit in the basis that she used to encode it. 
If at any stage Alice observes a mistake {j3n+i = P'n+i 
but rn+i 7^ '^n+i)' stops further interaction with 
Bob who is definitely not performing his legal protocol 
(this should never happen if Bob follows his protocol) . 

In this protocol, rir2 • ■ • rn are chosen by Alice in 
step 1 and are sent to Bob via an ambiguous coding re- 
ferred to as the BB84 coding [1]: when Alice and Bob 
choose the same emission and reception basis, the bit 
received is the same as what was sent and uncorre- 
lated otherwise. Bob builds two subsets: one that 
will allow him to get 6^, and one 1^ that will spoil be- 
The calculations of steps 5-6 are much that all the bits 
in a subset must be known by Bob in order for him 
to be able to obtain the output bit connected to that 
subset. 



4 Protocol for Quantum m-out-of-n 
Oblivious Transfer 

4.1 Weak Bit Commitment 

In 1993, Gilles Brassard, etc provided a quan- 
tum bit commitment scheme provably unbreakable by 



both parties [2]. However, unconditionally quantum 
bit commitment was showed impossible [7]. In [4], 
Aharonov provided a weak bit commitment. 

Definition 4.1 [4J In the weak bit commitment pro- 
tocol, the following requirements should hold. 

• If both Alice and Bob are honest, then both Alice 
and Bob accept. 

• (Binding) If Alice tries to change her mind about 
the value of b, then there is non zero probability 
that an honest Bob would reject. 



If 



2m+l 



2„ — ^' there are more rs that satisfy 7^ f3i 
than required, so Bob should remove x i's that satis- 
fying PI ^ /3j from {1, 2, • • • , N}. x can be calculated 
as follows: 
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N-x 

X 



2m + 1 

2n 
(2m- 



1) 



2m + 1 



-N 



AT must satisfy (2n-(2m+l))(2m+l)|((2m+l)-n)iV 
so that X would be an interger. we let the i's that was 
removed from {1, 2, • • • , N} be ui, U2, ■ • • , u^- 



• (Sealing) If Bob attempts to learn information 
about the deposited bit b, then there is non zero 
probability that an honest Alice would reject. 

In the following scheme. Bob will use this weak quan- 
tum bit commitment to commit. 

4.2 Intuition for m-out-of-n OT 

In the m-out-of-n OT, Bob should build n subsets 
Ii, I2, ■ ■ ■ , In Q {1, 2, • • • , n}, m of that will allow him 
to get 6ci,6c2.---,^c„ (ci,C2,...,Cm e {l,2,...,n}), 
and the other /'s will spoil the remnant b's. In Ii U 
/2U - • - U/n, the rate of the i's satisfying = /3j would 
be more than — and less than 



m+l 



I.e. 



n - |/iU---U/„| 



Ul„} ^ m+l 



m I m+l 

« « 2m+l 



In our scheme, we let the rate to be ^ 

As /3's and /3"s are choice randomly, we have 



2n 



lim 



N 



For a large N, the rate of i's in {1,2,---,A^} that 
satisfy = f3i would be approximately i, then Bob 
should remove some i's from the {1, 2, ■ • • , A^}. The 
number of i's that should be removed can be calcu- 
lated as following: 

If ^^f^ < ^, there arc more i's that satisfy f3[ — (3% 
than required, so Boh shoiild remove x i's that satis- 
fying = /3j from {1, 2, ■ • • , A}, x can be calculated 
as follows: 



A^-a; 

X 



2m +1 

2n 

n — (2m + 1) 
2n- (2m-M) 



N 



4.3 Quantum m-out-of-n OT 



the m-out-of-n QOT, Alice has input 
' ' Bob has input ci, C25 • • • , c^t^. The output 



In 

&1,&2 

of the scheme is bci , 6c2 > 



Protocol 4.1 m-out-of-n 

QOT{bi, 62, • • • , bn){ci, 02,..., Cm) 



1. DO^, 



• Alice picks a random bit r, <— (|) 

• Alice picks a random bit A (§) and defines 

her emission basis (|</?j), |</?^)) ^ Xlft 

• Alice sends to Bob a photon Wi with polar- 
ization [\iPi),\iPi-)]ri 

• Bob picks a random bit (3'i ^ and mea- 
sures TTj in basis {\0i), \9:^)) ^ [4>X]/3' 



2. DO^^^ 



• Bob 

r' ^ 

N 



0, ifiTi is observed as \9i) 

1, ifwi is observed as \9f-) 



sets 



• Bob runs commit{r[), commit {(3'-) , 

com,m,it{r'j^_^_^), commit{l3'jq _^^) with Alice 

• Alice picks di ^ (§) and announces it to 
Bob 

• Bob runs unveil{r'j^j^._^_^),unveil{(3'j^^._^^) 

• Alice checks that 0Ndi+i = f^Ndi+i ~^ 

TNdi+i = I'Ndi+i 

• if di = then Alice sets [3. 
ri ^ rN+i and Bob set j3[ 

'''N+i 



/3. 



N+i 

and ; 



and 



3. Alice announces her choices (3i(32 



P'n+i 

■ ■ ■ /3jv to Bob 



If ^""'"^ < i Bob runs unveilir' ), 
unveil{j3'y^.) that satisfying (3uj = (3'^., Alice 
checks that ^ P'u- ^ "^uj = r'^ 



\ Boh runs unveil{r'^.) , 



• If > 

unveil{P'^.) that satisfying 7^ (3'^. 

5. Bob randomly selects n subsets /i,/2, •••,/„ C 
{1, 2, • • • , A''} — {ui, U2, . ■ . , Ux} subject to \Ii \ = 
I/2I = ■ • • = \In\ = {N-x)/n, Vi ^ k, Ijnlk = 

and Vj G /ci U U • • • U ; Pj = P'j, and he 
announces {Ii, I2, ■ ■ ■ , In) to Alice 

6. Alice receives ( Ji, J2, ■■• ,Jn) ={Ii,h, • • ■ , In), 
computes and sends b\ <— 61 © ^j, ^2 <— 

® 0je7„ rj to Bob 

7. Bob receives (61, 62, • • ' > ^n) and computes b^ •f— 



5 Analysis 

In the TO-out-of-n QOT, Bob must read the photons 
sent by Alice as they come: he cannot wait and read 
them later, individually or together. We assume that 
the channel used for the quantum transmission is free 
of errors, so that it is guaranteed that = r, whenever 

= Pi- we now show that under the assumption this 
protocol satisfies the statistical version of the above 
constraints. 

5.1 Correctness 

Lemma 5.1 Hoefding inequality [6J Let 

Xi,X2, - ■ ■ , Xn he total independent random variables 

with identical probability distribution so that E{Xi) = 
jjL and the range of Xi is in [a, b] . Let the simple av- 
erage Y = (Xi + X2-\ h Xn)/n and 5 > Q, then 



Pr[\Y - >6] <2-e-^ 

So, if Pr[X^ = 0] = Pr[X, = 1] = i, then /x = 
and a = 0,b= 1, we have the following inequality 



" Y. 1 



We show that most of the time the output is cor- 
rect if the parties abide to their prescribed protocol. 
In a given run of the protocol. Bob will succeed in 
computing 6^ , > ■ • ■ > properly provided satisfy- 
ing the following conditions : 
when 222±i < 1 



2n 



orwhen^>i 

#{i\Pi = Pi} >{N- x)m/n 

Because in that case he can form /d , , • • • , Icm 
prescribed and then he can compute the output bit as 
bci ® ®jeic- '^'3 which is 



Sc.© =6e.© r, r; =6,© 



rj©r^- 



rj i£ir'j =0 makes 



because is la ■ Since pi = P'^ . . m ^' 
all the right terms vanish, we end up with 

K © = ba 
jeici 

Therefore the protocol gives the correct output unless 
satisfying the following conditions : 
when ^ < i 

#{i\Pi = PI} - X < {N - x)m/n 

or when > i 

#{i\pi = PI} < (AT - x)m/n 

in which case Bob is unable to form the set 
/ci , -fc2 1 • • • ) ^ prescribed. Now, we can calculate 
the probability that Bob can not form 1^, Ic2, ■ ■ ■ , Ic 
If < 1 (i.e. 2m + l<n,x= ^^^^^N), the! 
the probability that Boh can get less than m bits is 
given by 

P[*Wi = P'i}-x<{N- x)m/n] 
= Pmi\pi = Pl}<iN-x)m/n + x] 

= P[f2 Pi(BP'i>N-{{N- ^pS2^^±^N)m/n 



i=l 

n - (2m + 1) 
'2n- (2m + l) 



TV)] 



2n - (2m + 1) 



n — (m + 1) 



^"^'^ ''^ " ^ 2n-(2m+l)' 
= ^[^E/^^^A-> 2n-(2m + l) ] 



TV^"'^'"' 2' 2n-(2m-M) T 

1=1 ^ ' 



It is easy to check that 
Given that P\Pi © /?■ 



2n-(2m+l) 2 



i > 0. 



1/2, let iV > 



In 2 



( 2n-(2m+l) 2 ) 

by 



YT^, this probability can be easily bounded 



subsets of size 



N-x 



for i = l.i = 2. . . . as well as 



< 2 • e~^'^^2n-(2m+l)-5)^ 

= 2 • e"'^^2„-{2r+i 



■'^(2ji-(2m+l) 2) .g ^(2n-"(2m+l) 2) 



< e~''^'^2n-(2r+l)-5)^ 



= e 



JV 



^£ = g '-2n-(2m+i) 2^ ^ uslug Hoefdiug's inequal- 
ity. 

If ^ > I (i-e- 2m + 1 > n, 0= = ^^^i^), then 
the probability that Bob can get less than m bits is 
given by 

P[#m = fil}<{N-x)m/n] 
= P[f:P,®Pl>N-{N-^±^N)m/n] 

N 



JV 



It is easy to check that i — 2m+i > 0- 
Given that P[/3i © = 1] = 1/2, let iV > 
this probability can be easily bounded by 



In 2 



^2 2m + ly 



< 2-e-2-^(^-^)' 

= 2 •e-^(5-2;gTT)' .6-^(5-2;^)' 



< e 



= £^ 

/ 1 _m_\2 

(e = e~^2-2TM^^ < 1) using Hoefding's inequality. 
So, Bob can get less than m bits that sent from Alice 
with probability less than . 

5.2 Privacy 

We analyse the privacy of each party individually 
as if he or she is facing a malicious opponent. 

5.2.1 Privacy for Bob 

Theorem 5.1 Alice can not find out much about 

Cl , C2 , . . . , Cm ? 

Proof. The only things Alice gets though the proto- 
col are the sets Ji, J2, ■ ■ ■ , Jn- A's and /3,['s are in- 
dependent from each other. Ji, J2, • ■ • , •/« will have 
uniform distribution over all possible pairs of disjoint 



for i = n. Therefore Alice learns nothing about the 

Ci,C2,...,Cm- □ 

5.2.2 Privacy for Alice 

Theorem 5.2 Except with probability at most e", 
Bob can not find out much information about more 
that m of bi, 62, • • • , bn- 

Proof. The probability of that Bob gets more than m 
bits (i.e. get at least m+1 bits). So 

If ^ < i (i.e. 2m+ 1 < n, . = ^.^^^N), 
the probability that Bob can get more than m+1 bits 
is given by 

P[#{i|/3i = (31} -x>{N-x){m+ l)/n] 
= Pmi\0i = Pl}>{N-x){m + l)/n + x] 

N 



2n-{2m+l) 



N){m 



, , , n — (2m + 1) , 

+1) n H 5- '-N)] 

" 2n- {2m + I) 

1 ^ 11 



n — m 



2' 2 2n-(2m-|-l)' 

It is easy to check that i — 2n-(2m+i) ^ ^■ 
Given that P[A © PI = 1] = 1/2, let N > 
^" ^ this probability can be easily bounded 



tl n-m \9, ) 

V 2 2»i-(2m+l) ' 

by 



-'^(2 2n-(2m+l)) .g ''^(2 2n-(2Tn+l) ) 



< 2 • e~^'-'^^5~2„-(2m+l)) 

= 2 • e~^^^~2„ "(2^+1))^ . g 

< 5-^(5- 2n-(2m + l)) 

= £ 

1 n — m ^2 



-JV 



(e = e 2n-(2m+i)^ < 1) uglug Hoefding's inequal- 
ity 

If ^ > ^ (i-e- 2m + 1 > n, X = ^^^i^), then 
the probability that Bob can get more than m -|- 1 bits 
is given by 

P[#{i\0, = Pl}>{N-x)im + l)/n] 
= Pit: P.®P[<N-{N- " 7V)(m 



TO + 1 . 

2m +V 



i=l 



It is easy to check that 



2m+l 



i > 0. 



Given that © = 1] = 1/2, let N > 
the probabihty can be easily bounded by 



In 2 



- m + l ly^; 
2m + l 2 J 



< 



< 



2-e 

N 



= e 

[e = e~^2T^-5) < 1) using Hoefding's inequaUty. 

Finally, we show that Bob cannot get more than to 
bits by attacking the weak quantum bit commitment. 
Let the probability that he can cheat Alice in the weak 
QBC be p (0 < p < 1), the probability that he can get 
one more bit is p ^ < e (e = p2,i j. 

So, Bob can get more than m bits that sent from 
Alice with probability less than . 

□ 

In the l-out-of-2 OT scheme, n = 2 and to = 1, 
= f > 5 ) then the probability is less than 



-JV.2(, 



1 ^2 »r o/ 2 1 \2 AT 

"2) =2-e~ ^^3-2) =2-e~i8 



6 Conclusions and Future Work 

In this paper, we construct an quantum TO-out-of- 
n OT based on the transmission of polarized light, 
which is an extension of the quantum l-out-f-2 OT, 
and prove that this scheme satisfies statistical correct- 
ness and statistical privacy, i.e. except with a small 
probability e^. Bob can get the correct to bits, and 
cannot get one more bit than required. 

We think the following points is interesting for fur- 
ther research: 

1. Implement and apply the QOT in the real world. 

2. Find a QOT satisfies perfect correctness and per- 
fect privacy. 
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